svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail

Fabian Keil freebsd-listen at fabiankeil.de
Wed Jun 7 11:25:58 UTC 2017 

Allan Jude <allanjude at FreeBSD.org> wrote:

> On June 6, 2017 5:44:25 AM EDT, Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
> >Allan Jude <allanjude at FreeBSD.org> wrote:
> >  
> >> Author: allanjude
> >> Date: Tue Jun  6 02:15:00 2017
> >> New Revision: 319611
> >> URL: https://svnweb.freebsd.org/changeset/base/319611
> >> 
> >> Log:
> >>   Jails: Optionally prevent jailed root from binding to privileged  
> >ports  
> >>   
> >>   You may now optionally specify allow.noreserved_ports to prevent  
> >root  
> >>   inside a jail from using privileged ports (less than 1024)
> >>   
> >>   PR:		217728
> >>   Submitted by:	Matt Miller <mattm916 at pulsar.neomailbox.ch>
> >>   Reviewed by:	jamie, cem, smh
> >>   Relnotes:	yes
> >>   Differential Revision:	https://reviews.freebsd.org/D10202
> >> 
> >> Modified:
> >>   head/sys/kern/kern_jail.c
> >>   head/sys/sys/jail.h
> >>   head/usr.sbin/jail/jail.8  
> >[...]  
> >> @@ -611,6 +613,8 @@ with non-jailed parts of the system.
> >>  Sockets within a jail are normally restricted to IPv4, IPv6, local
> >>  (UNIX), and route.  This allows access to other protocol stacks that
> >>  have not had jail functionality added to them.
> >> +.It Va allow.reserved_ports
> >> +The jail root may bind to ports lower than 1024.   
> >
> >This description seems to imply that net.inet.ip.portrange.reservedhigh
> >isn't honoured while it actually is.
 
> I think the confusion here is: this option prevents root
> in the jail from using reserved ports. Nonroot users are
> always restricted

I understand that.

My point is the man page addition suggests that the reserved
port range end is hard coded while the actual end can be changed
with net.inet.ip.portrange.reservedhigh.

Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20170607/434b14da/attachment.sig>

More information about the svn-src-all mailing list